## iptables.sh
## AFWall+ CustomScript & some tweaks
## Mike Kuketz
## www.kuketz-blog.de
## Changes: 25.09.2018
##
## iptables -L
## iptables -S
## iptables -L -t nat

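# Wait for AFWall+ to finish applying its own rules before adding ours.
sleep 6

####################
# Tweaks #
####################
## Kernel
# Write a value into a /proc/sys entry. When the entry is missing or not
# writable (e.g. the WLAN interface is not called wlan0, or the script is
# not running as root) skip it with a notice on stderr instead of spraying
# "No such file" errors into the AFWall+ log.
# Arguments: $1 - value to write, $2 - /proc/sys path
write_sysctl() {
  if [ -w "$2" ]; then
    echo "$1" > "$2"
  else
    echo "iptables.sh: skipping $2 (missing or not writable)" >&2
  fi
}
# Disable IPv6: no router advertisements on wlan0, IPv6 off for all
# existing interfaces and for newly created ones.
write_sysctl 0 /proc/sys/net/ipv6/conf/wlan0/accept_ra
write_sysctl 1 /proc/sys/net/ipv6/conf/all/disable_ipv6
write_sysctl 1 /proc/sys/net/ipv6/conf/default/disable_ipv6
# Privacy IPv6 addresses: 2 = generate temporary (RFC 4941) addresses and
# prefer them over the stable one. Only matters should IPv6 be re-enabled.
write_sysctl 2 /proc/sys/net/ipv6/conf/all/use_tempaddr
write_sysctl 2 /proc/sys/net/ipv6/conf/default/use_tempaddr
## System
# Disable Captive Portal - Android Oreo 8: disable the login app and turn
# the connectivity check off so no probe is sent on every network change.
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
# Disable Global NTP Server: point the system NTP client at localhost; the
# intent is that the DNAT rule for port 123 further down redirects it.
settings put global ntp_server 127.0.0.1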

####################
# iptables #
####################
# Absolute paths to the firewall binaries so the script does not depend on
# PATH in the shell AFWall+ runs it from.
IPTABLES='/system/bin/iptables'
IP6TABLES='/system/bin/ip6tables'

####################
# Defaults #
####################
# IPv6 connections
# IPv6 connections: default-deny in every ip6tables chain. Belt and braces
# with the disable_ipv6 sysctl above - the nat rules below are IPv4 only,
# so IPv6 traffic could sidestep them should IPv6 come back.
for chain in INPUT FORWARD OUTPUT; do
  "$IP6TABLES" -P "$chain" DROP
done

#####################
# Special Rules #
#####################
# custom NTP-Server: ntp3.dismail.de
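# Upstream servers (IPv4). Both are hard-coded addresses: if the operator
# renumbers them, time sync / name resolution breaks silently, so re-check
# them whenever this script is updated.
NTP_SERVER=78.46.223.134   # ntp3.dismail.de
DNS_SERVER=46.182.19.48    # dns2.digitalcourage.de
# Home network in CIDR notation (constructed example: 192.168.1.0/24).
# DNS is NOT redirected while the device's source address is in this
# network. Must be filled in - the former inline placeholder "(w.x.y.z /xy)"
# was a shell syntax error that aborted the script at this point.
HOME_NET=''

# Add a rule to the nat OUTPUT chain only if an identical one is not
# already present. AFWall+ re-runs this script on every rule refresh, so an
# unconditional -A/-I piles up duplicate rules over time.
# Arguments: $1 - -A (append) or -I (insert), rest - the rule specification
# Returns:   the iptables exit status
nat_rule() {
  local action=$1
  shift
  "$IPTABLES" -t nat -C OUTPUT "$@" 2>/dev/null \
    || "$IPTABLES" -t nat "$action" OUTPUT "$@"
}

# custom NTP-Server: ntp3.dismail.de
nat_rule -A -p tcp --dport 123 -j DNAT --to-destination "$NTP_SERVER:123"
nat_rule -A -p udp --dport 123 -j DNAT --to-destination "$NTP_SERVER:123"

# custom DNS server dns2.digitalcourage.de for all networks except home.
# Only plain DNS on port 53 is redirected; DNS-over-TLS (853) or
# DNS-over-HTTPS (443) is not touched by these rules.
: "${HOME_NET:?set HOME_NET to your home network in CIDR notation at the top of this section}"
nat_rule -I ! -s "$HOME_NET" -p tcp --dport 53 -j DNAT --to-destination "$DNS_SERVER:53"
nat_rule -I ! -s "$HOME_NET" -p udp --dport 53 -j DNAT --to-destination "$DNS_SERVER:53"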
